X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=etc%2Fpam.d%2Fcommon-account;h=9d8619edfdc269bf39a77030f4cf178daba510d8;hb=1b4d31c20a6034fbe5fcc6f6c358e6449d1db54e;hp=c2e28cb63cfba5a05ecd5a4ac3d131dea167b1b9;hpb=6729d356bc9bb1c6b0e625fd68d2c4cdc3ed75fa;p=matthijs%2Fservers%2Fdrsnuggles.git
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index c2e28cb..9d8619e 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -9,9 +9,11 @@
 # Default was:
 #account required pam_unix.so
 #
-# LDAP config copied from http://wiki.debian.org/LDAP/PAM
-account required pam_unix.so
-account sufficient pam_succeed_if.so uid < 1000 quiet
-account [default=bad success=ok user_unknown=ignore] pam_ldap.so
-account required pam_permit.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
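Review bot: The new `pam_ldap.so` control line sends every result it does not name to `default=bad`, and with the `pam_succeed_if.so uid < 1000` line removed this now applies to root and other local accounts as well as LDAP users. If pam_ldap reports `authinfo_unavail` when the directory cannot be reached (the usual behaviour, but worth confirming for the module version installed here), an LDAP outage would fail the account phase for every service that includes this file, local logins included. Failing closed is the right result for LDAP users, since the host attribute check should not become skippable, so adding `authinfo_unavail=ignore` is not the fix; what needs deciding is whether local accounts should keep an exemption. Either way the comment above the line should state the behaviour, e.g. `# Any other result, including an unreachable LDAP server, denies access (default=bad).`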